AS Module 1 (ICT1): TOPIC 8 Malpractice & Data Theft

• Explain the consequences of malpractice and crime on information systems. Chapter 10
• Describe the possible weak points within information technology systems. Chapter 11
  - online systems, storage medium, theft or duplication, compromising electronic emanations (tempest), viruses
• Describe the measures that can be taken to protect information technology systems against internal and external threats.
  - Clerical procedures, passwords, levels of access, write-protect, back-up, restoration and recovery. Describe the access levels required for on-line files
• Describe the particular issues surrounding access to, and use of the Internet; e.g. censorship, security, ethics.

THE CONSEQUENCES OF MALPRACTICE AND CRIME ON INFORMATION SYSTEMS

Theft or corruption of data etc. can prove fatal to businesses and to life itself e.g.
• 80% of companies go bust within 18 months of disaster.
• Sinking of HMS Sheffield in Falklands war - inability of anti-missile radar to function when a telephone call was being made to London on the same frequency.
• Air crashes resulting from errors in flight data stored in airborne computer.

Case Study Heathcote P.50
NHSNet is the system used by the NHS to store patients' records. Staff can access the system with a swipe card and there is a firewall between the computer system and the Internet. The NHS says that the system will only be accessed by authorised people who have a clear need to use it and that all operations on the system will be monitored. Others suggest that the sheer number of people who will be using the system will mean that the swipe card system is not a sufficient level of security.

Heathcote lists groups of people who might want to steal data from the NHS:
• Insurance companies
• Anti abortionists
• Blackmailers
• Stalkers
• Lawyers (the ambulance chasing variety)
• Companies marketing drugs
• Funeral parlours

POSSIBLE WEAK POINTS WITHIN AN ICT SYSTEM.

1. Dishonest employees who use the computer system to commit crime e.g. fraud
• Bogus data entry e.g. changing or inventing data so improper data is produced

• Using knowledge of banks’ computer system to embezzle money from inactive customer
• Bogus output
• Program patching
• Alteration of files
• Suspense accounts
• Ghost accounts

2. Stealing from the computer
• Industrial Espionage
• Software piracy
• or copying ideas (theft of intellectual rights)
• Theft of computer e.g. running own business on company computers, stealing electricity
• Physical theft - a disk or software

3. Attacking the computer
• A virus e.g. Morris Worm (a program that replicates itself and spreads from computer to computer)
• An e-mail bomb

4. Hardware failure e.g. a hard disk failure could render the data inaccessible
Disc Crashes

5. Malpractice
• Faulty procedures (e.g. poorly trained employees who don't know how to use the system properly)
• Backup procedures not being followed (e.g. by an employee using a laptop outside the office)

6. Natural disasters e.g. “Acts of God” i.e. fire, flood, earthquake

7. IP Spoofing
A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.

8. e-mail spoofing
Forging an e-mail header to make it appear as if it came from somewhere or someone other than the actual

9. Phreaking
Closely related to hacking, using a computer or other device to trick a phone system. Typically, phreaking is used to make free calls or to have calls charged to a different account.

MEASURES TO PROTECT ICT SYSTEMS FROM INTERNAL AND EXTERNAL THREATS.

Backup Procedures
• Online Backup is a system by which all data is stored onto three separate disks (if one disk ... the transaction is still processed).
• Periodic Backup means backing up at specified intervals (e.g. every day). For extra security, the backup tape is often moved to a secure location e.g. a fireproof safe or a completely different building.
• Maintain the generational system of backups (Grandfather-Father-Son). See the diagram in Heathcote p.249

Improve network security
• Maintenance contracts
• Uninterruptible Power Supply (UPS)
• Using tape-streamers
• Training Staff
• Employing security staff
• Using disk mirroring

Staff training p.52
• So that staff know how to use the system and do not, therefore, do accidental damage
• To be aware of legislation – see Data Protection Act, Copyright, Computer Misuse, Health and Safety.
• Be aware of safe procedures see BS7799
• Be aware of the company Code of Conduct.

Set up an Audit Trail P51
• A record showing who has accessed a computer system and what operations he or she has performed during a given period of time. Audit trails are useful both for maintaining security and for recovering lost transactions. Most accounting systems and database management systems include an audit trail. There are separate audit trail software products that enable network administrators to monitor use of network
• Timestamping of files to aid the audit
• In the case of a laptop, it could be given a "boot lock" and sensitive data on the computer could be

BS7799
BS 7799 (ISO17799) is comprehensive in its coverage of security issues, containing a significant number of control requirements. Compliance with it is consequently a far from trivial task, even for the most security conscious of organizations.

Physical Protection p.51
• ID badges for employees
• an entry control system to the IT department
• keycards
• Voiceprints
• Retina scans
• Checks on prospective employees to combat techno-terrorism
• Never use original program disc
• Asset register
• Caution
• CCTV
• Smartcards

Password Protection
• There should be frequent updates of passwords.
• A Hierarchy of passwords is often used (see below)
• Terminal Identification measures include lockouts i.e. three tries at a password and the use of Callback software via modem.

Callback Software
read p.252 about handshaking and the use of one-time passwords.

Encryption p.51
http://computer.howstuffworks.com/
The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it

Examples of information that would be encrypted are:
• Credit-card information
• Social Security numbers
• Private correspondence
• Personal details
• Sensitive company information
• Bank-account information

Virus Protection p.52
Virus protection software and routines (p.253)
What is a virus? How might it be introduced? What measures should be taken to minimise the risks?

RAID, Redundant servers

Access Rights and Access Levels
Access rights may typically be set to Read-Only, Read/Write, or No Access. This ensures that users within a company can only change data they are authorised to do so.

On the school network, different access levels exist:
1. ICT Technicians (full access rights)
2. Teachers (have access to shared folders and their student work)
3. Students
4. Basic Group

Why is it important to control access in this way?

On a hospital network, the access levels might be:
1. No Access (receptionists will not be allowed any access to patients’ records)
2. Read Only (junior nursing staff would be allowed to read records but not to change them)
3. Read and Copy (a doctor from another hospital might be allowed to take a copy of a patient record)
4. Read and Update (only the patient’s own doctor would be allowed to update a record)

Problems still exist. For example, people can leave terminals logged on (terminals could be set to shut down after a specified period e.g. 10 minutes). Technical support staff could have access to sensitive data when they are repairing computers.

Firewall
http://computer.howstuffworks.com/firewall.htm
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Contingency Plans/Disaster Recovery Plans
Insurance
Secure Power Supplies
Verification/Validation Checks

Internet monitoring
http://safety.ngfl.gov.uk/schools/?INDEX=ALL
Some companies and schools use the Internet through a "firewall" that controls what is accessible on the Internet e.g. a school may have a filtering system so that students cannot access undesirable
Businesses also have the incentive to stop employees wasting work time by surfing the Internet for their own amusement. Managers are also worried that employees might be downloading pornography or using the company Email system improperly. There is also a fear of litigation, especially in the United States where some women have sued for "sexual harassment" because they have been sent offensive files or

Case Study
1999 the New York Times fired 23 office staff who had been Emailing smutty jokes to each other.

EXAMINATION QUESTIONS

1996 (6 marks)
The illegal use of computer systems is sometimes known as computer-related crime.
• Give three distinct examples of computer related crime
• Give three steps that can be taken to help prevent computer-related crime

ANSWERS
a any from:
• hacking to gain access to, or modify data
• deliberate introduction of viruses to destroy data
• techno-terrorism
• theft of data
• modification of data/code to perpetuate fraud
• or any examples in context
b any from:
• physical security of systems and rooms
• do not leave terminals active and unattended
• document security
• hardware security and identification devices
• levels of passwords - do not reveal passwords
• audit procedures
• encryption
• dismissed staff leave premises immediately
• or any examples in context

1991 (16 marks)
There are three ways in which the security of data within a large company database may be compromised. The data could be read, altered or destroyed by persons not authorised to do so.
• Give five examples of how unauthorised access to data might occur and how you could prevent them. (10)
• Give three examples of how data might be altered or destroyed and the way each example could be prevented or (6)

ANSWERS
a Any five from (example of unauthorised access, followed by its prevention):
• Unauthorised use of the system. Make everyone register and be given Personal Identity Number before they can log-on to the system. User would also have a private password.
• The ID and password of an authorised user can be ... Do not write it down or lend your password
• Access to registered users to areas for which they have no access rights. Make access to other areas impossible by forcing them to use a menu driven system tailored to their legitimate needs. In a time sharing situation, make access to other users’ directories by a further password
• Unauthorised access to rooms where terminals are sited could be controlled by smart cards or keys
• Data could be read via access from a remote, unauthorised terminal. Terminal hardware must identify itself.
• Data might be left on the screen and read by a passer by. Re-site the terminal; make users log-off before doing something else. Computer could automatically log them off after a few minutes of inactivity
• Data could be read directly from the screen if the screen is facing the window. Re-site the screen.
• Data could be read from the screen by a radio device outside the building tuned to receive emissions from the ... Fit the terminal or the room with a screen which absorbs those emissions.
• Discs could be stolen and read elsewhere. Lock them up.

b Any three from:
• to control altering data, where read access to the data has to be allowed. Have a menu system which does not give update facilities to everyone; have an extra password necessary to allow alterations.
• control access to room where large scale magnetic storage is used to avoid sabotage by a large magnet.
• if volatile data is corrupted or destroyed by a power failure, make sure recent back-up or roll-back facility
• make sure backup equipment or data is stored elsewhere, in case of fire destroying equipment or data.

1995 (10 marks)
An estate agent uses a PC based network system to assist in the operation of its business. The main uses of the system are word-processing and the maintenance of customer and property details. Although the majority of files are stored on the network server the manager of the agency holds certain confidential files on her own station only. You are asked to devise an efficient backup strategy for the system.
a What hardware is required to enable the whole system to be backed up? (2)
b Give three features of the backup software that will be required to enable an efficient strategy to be devised (3)
c Suggest an appropriate backup strategy (3)
d What physical precautions should be taken with the backup media to ensure that recovery can take place? (2)

ANSWERS
(a)
• a tape streamer (1) and a local disc for the station (1)
• accept CD-ROM drive with the ability to master or CE-WORM
• portable external hard disc
(b) mirror image; backup all files; backup only changed files; procedure customisation; backup selected file types/save set; automated backup at specified time; recovery of all files; recovery of selected files (1) to different paths (1); work concurrently with System Audit Log; verification concept
(c) WHAT to backup (1) any further explanation (1): backup all files once/twice per week, write protect, confidential files on separate station require backup
WHEN to backup (1): backup only changed files daily, backup stand-alone whenever there are changes, verify/write (IF verify is in a or b need different)
(d)
• secure (e.g. lock away) and fireproof storage or any natural disaster
• off-site storage
• physical write protect
• use a sequence of tapes to avoid overwrite

1995 (20 marks)
“Criminal activity and malpractice in connection with the use of Information Technology Systems is one of the fastest growing areas of crime, but many organisations are loath to admit there is a”
Excluding the area of viruses discuss this statement. Include in your discussion:
• at least three specific examples of areas of criminal activity
• specific examples of the types of people who may get involved
• possible reasons why organisations are loath to admit there is a problem
• at least three specific examples of countermeasures which can be taken to minimise the

MARK ALLOCATION
6 points on areas of criminal activity, 4 for types of people, 4 for why organisations loath to admit there is a problem, 6 for countermeasures, 4 for presentation/coherence

Paragraph 1: Introduction. What have you been asked to do?

Paragraph 2: A discussion of at least three Areas of criminal activity
• Hacking (1) Explanation/definition (1)
• Computer fraud (1) Explanation/definition (1)
• Industrial espionage (1) Often a multi-national company has a larger intelligence gathering service than a small company e.g. GDP of Austria is lower than General Motors. Many companies gather information on competitors by legitimate means e.g. conferences, newspapers, advertising agencies. Some agencies exist which will perform specific tasks e.g. traffic tracking of a company use of a WAN. Virgin v British Airways database case is another example (1)
• Deliberate malpractice by an employee (1) Explanation/definition (1)
• Terrorism (1) Explanation/definition (1)
• Organised crime (1) Explanation/definition (1)
• Pornography (1) Explanation/definition (1)
• Software theft (1) Explanation/definition (1)
• Data theft (1) Explanation/definition (1)
• Tempest (electronic emanations: radiation security) Explanation/definition (1) add Faraday cages (1)
• Non-registration of DP act (1) Plus explanation of the illegal activity (1)

Paragraph 3: A discussion of the types of people involved but no marks are given for duplicates
• Disenchanted employees: either as ‘insider help’ to assist external attackers or ‘self-interest’ or ‘redundant’ staff
• Military intelligence services: exchanging of information between allies can be tapped
• Industrial intelligence services: competitors intercepting information on market prices, forecasts, stock movements, current deals
• Vandals: hacking into systems to cause deliberate data corruption
• Users: following non-standard working practices e.g. using system time for football pools projections or distributing pornography
• Terrorist organisations - political extremists taking action against computer installations e.g. physical destruction of railway signalling centre
• Media/newspapers: similar to industrial intelligence
• Professional criminals: organised fraud involving significant groups of people e.g. Visa credit card fraud
• Small organisations: failure to register under DP Act as they think they will not get caught

Paragraph 4: A discussion of why Organisations are loath to admit there is a problem
• Inability to take effective action to stop the problem
• Loss of credibility (with the public and with other organisations) which subsequently affects business
• May lead to ‘copy cat’ activities
• Potential for staff morale or industrial relations problems if it is internal

Paragraph 5: A discussion of at least three Specific countermeasures

physical security; document security; personnel security; hardware security; software security; Tempest; Comms and network security; Computer Misuse Act; DP Act is relevant in a general sense: NOT detailed analysis

choice of location, entry to site, entry to specific areas, checking of baggage and supplies, protection of services e.g. electricity, air conditioning, heat handling, fault tolerance, purging of all documents used in the system e.g. data collection, reports, recording use, accounting for, clear screens when not in use, recruitment screening, rotation of duties, authorisation of sensitive tasks, two person authorisation levels to task, need to, disciplinary procedures, termination procedures, protect hardware from tampering, hardware identification devices, maintenance procedures, tendering for supply and maintenance, protection by the OS, audit control of design and development, separation of software and devices, control of installation and upgrades, VDU away from windows, avoid metal areas, avoid phone areas, encryption, passwords or staff ID badges, dial-back systems, discussion of offences, penalties and possible loopholes, deterrent effect, discuss registration need, penalties

Paragraph 6: Conclusion

1994 (15 marks)
A local group of electrical retailers uses a computerised system to assist in the administration of its business. The manager of the group becomes concerned about software copyright and the potential dangers of viruses but does not fully understand the issues involved.
A. Describe three different types of software licensing agreement which are currently offered by software producers. (6)
B. Explain what is meant by a virus (3)
C. Describe two different methods of protecting the organisation against viruses. (6)

a
• Treat as book: One copy in use at a time being passed to another user
• Multi-user: Usually one/half the number of master discs with agreement to copy onto a specified number of machines for multiple use at any one time
• Network license: Normally software resides on host with a specified number of stations on that single network being given access at any one time
• Site license: License extends to cover all machines within that institution
b A software routine which once introduced into a system replicates itself whenever the program to which it is attached is run on some flag e.g. time, date or when copied

• Physical limitations e.g. Branded discs, do not borrow software, limit access to drives, flag discs/files to read-only, restrict links to communication systems
• Toolkits - check discs before use on a ‘sheep-dip’ station using a toolkit utility and remove it
• Guards: install a guard utility on all stand-alone machines which automatically tests any disc and remove it
• Virus programs need regular updates
and description

1996
A multi-national organisation maintains an information technology system which holds a large amount of vital and sensitive data.
• Describe THREE steps which should be taken to protect the data against deliberate theft or corruption. (6)
• Describe THREE steps which should be taken to protect the data against accidental loss. (6)

1997
A common way of permitting different levels of access to on-line files is the use of passwords. Once a password has been input the user may be allowed to perform a number of different actions upon the data within the files, dependent on the level of access given by that password.
• Describe FOUR of these possible actions. (4 marks)

1994 (20 marks)
‘Society, organisations and individuals are now so dependent on IT systems that the consequences if these systems were to fail would be catastrophic.’ Discuss the major threats, or possible causes of failure, of an IT system and explain what steps can be taken to minimise them or their consequences.

MARK ALLOCATION
5 points on threats/causes of failure, 5 for minimise risk in context of threat, 5 minimise consequences of failure, 5 for presentation and argument

Paragraph 1: Introduction - What have you been asked to do? How will you answer?

Paragraph 2: A discussion of at least four of the Threats or causes of failure
• Physical: Fire, flood, power failure, rats eating, coffee
• Hardware failure: Processor failure, disc crash
• Telecommunications failure: Cable faults, gateway down
• Data control failure: Data inaccurate e.g. Rounding, undiscovered corruption e.g. processing cycle fault
• Invalid data: User errors, incorrect codes
• Software failure: Bugs, Upgrade, unsuited to task
• Computer crime/abuse: Hacking, data corruption, viruses
• System design failure: Failure to build into the design the appropriate measures e.g. London ambulance service or European airbus

Paragraph 3: A discussion of what Steps can be made to minimise the effects of failure
• Physical: Regular maintenance, uninterrupted power supplies, keyboard protectors, human restrictions (explain)
• Hardware: Restricted access/usage, duplicate systems, backup systems, reputable suppliers
• Telecomms: Regular maintenance, duplicate systems, reduce links to external networks
clean backup and recovery installation of

appropriate spec. Cable, avoidance of interference causes
Data Control, Software, Invalid Data, Computer Crime/Abuse, System Design Failure: Data control systems e.g. batch & control totals, data validation methods, log of processing cycle, error logs; reputable suppliers, authorised upgrades; Validation; routine backups; Log of usage; routine backups; Password or encryption; virus checking; Validation of design, acceptance testing, duplicate design teams; Redundant/Departing Staff Lead Off Premises Or Disciplinary Measures As AntiVirus/Password Offence

Paragraph 4: A discussion of the Steps to minimise consequences i.e. how to recover if it does fail. THIS IS OFTEN MISSED OUT BY WEAK STUDENTS!!!
• Physical: Duplicate systems, standby systems
• Hardware failure: As above plus backup files and roll-back
• Comms failure: Alternative gateway, restriction of users, alternative node points
• Software failure: Maintain sequential backups, hot line system support contracts, e.g. PC Anywhere links with support supplier
• Invalid data: Journal logs and incremental backup procedures with roll-back
• Computer crime/abuse: As above + toolkits giving disc recovery
• System design failure: Failsafe systems, manual override (if feasible), duplicate command systems e.g. 5 voting cpus

Paragraph 5: Conclusion

June 2001.
Explain, with reasons, two levels of access that could be given to different categories of users of an on-line stock control system. 4 marks

Examples
• Stock manager – read/write access (1) - ability to add delete and amend records of stock e.g. add a new product, delete a product out of stock, change prices (1).
• Sales staff – read/write access (1) need to be able to see details about stock and to change data as sales are made (1)
• Store manager – read/view only access (1) - needs to be able to view (read) data but not change it (1)
Any 2 × 2 marks. 2nd mark dependent on first.
This question is about the types of access that can be given not how it is controlled and so nothing on passwords, authorisation, etc gains credit.
Allow Full Access rights: 1 mark terms plus 1 for explanation
• Read
• Read/Write
• Amend
• Delete
• Add/Delete/Write/Append

January 2002. 5.
Information Systems need to be protected from both internal and external threats.
(a) Explain, using examples, the differences between an internal and an external threat to an Information System. 4 marks
(b) For each of the following, describe a measure that a company can take to protect his or her Information System from:
(i) Internal threats. 2 marks
(ii) External threats. 2 marks

a) 2 × 2 marks
Internal threats are from within the company or organisation / caused by own staff (1) example (1).
External threats come from outside the company or organisation / caused by people from outside the organisation (1) example (1).
Can accept theft of components as an example. Accept Natural Disasters – Power
NB Examples may only be used once e.g. hacking is either internal or external but not

b) (i) Internal: 1 mark for measure and 1 mark for explanation of how measure prevents threat
Examples
• Procedures for using disks/virus checking/ (1) prevents employees introducing virus onto network (1)
• Auto save/ confirmation of delete/ other software functions (1) designed to prevent loss/corruption of data from careless mistakes (1)
• Passwords & Ids/Access levels (1) to prevent unauthorised modification. (1)
• Guidelines on working practice (1) to prevent health and safety issues with employees/ loss of staff from illness etc
• Good pay/benefits (1) prevent loss of experienced/vital staff (1)
• Code of conduct (1) to prevent… (1)
• Training of staff (1) to prevent misuse/accidental mistakes (1)
• Security cameras/CCTV etc must explain how it prevents (2 or 0)

(ii) External: 1 mark for measure and 1 mark for explanation of how measure prevents threat.
Examples
• Audit trails/Backups – MUST explain how they protect (so either 2 or 0)
• Firewalls (1) prevent access to/corruption of data from external sources (1)
• Encryption (1) used to prevent misuse of data if intercepted during transfer (1)
• Physical measures – locks/guards/ CCTV (1) prevent unauthorised access by non employees (1)
• UPS (1) - prevent loss of data when power lost (1).

June 1999
3 Different levels of access can be provided for on-line files which permit users to perform a number of different actions upon records within the files. Give four of these possible actions. (4)

Marks must only be awarded where the action is on a record within the file, therefore delete file, rename file, copy file etc will not be given any credit.
Answers should include any four of the following:
• Add a record
• Append a record
• Delete a record
• Read
• Read only
• Write
• Read/write
• View a record
• Read/Write
• View part of a record
• Edit a record
• Amend record
The answers could be of the read/write type or of the add a record type – both are valid as they are actions on a
If the word record/data is not present, still give mark
CANNOT ALLOW EXECUTE
NONE – Not acceptable
Allow PRINT a record

companies now have a code of practice for employees working with information technology
a) Explain what is meant by a code of practice. 3 marks
A set of rules/policy/guidelines/Procedures/Standards (1) belongs to an organisation/employer/company (1) governs the behaviour and action of members/employees (1)
b) Explain three benefits to a company of having a code of practice 3 x 2 = 6 marks
Need to cover eventualities such as preventing the:
• Misuse of equipment (1), stopping company from having large maintenance bills or replacement costs (1)
• Misuse of software (1), preventing company being liable under copyright laws (1)
• Misuse of Internet facilities (1), preventing company from having wasted resources – staff time and phone costs (1)
• Misuse of email facilities (1), lack of work being done and therefore low productivity (1)
• Misuse of data (1), leaving company open to prosecution under Data Protection Act (1)
• Gives company option of dismissal (1) if Code of Practice not followed (1)
• Better trained/informed work force/higher level of employee skills (1) Due to interchange of ideas/skills (1)
Importance is that it is misuse rather than illegal operations, which are covered
MUST BE RELEVANT TO IT AND NOT GENERALISED SOCIAL/ETHICAL/MORAL
NB A CODE OF PRACTICE IS DIFFERENT TO A CODE OF CONDUCT

2000. 5.
Describe, with reasons, three measures, other than passwords, that may be taken to maintain the integrity of data against malicious or accidental

DO NOT ACCEPT PASSWORDS or LEVELS OF ACCESS
• Use of copies of sensitive data for day-to-day use – master copies only updated at end of day/week (1) plus (1) for reason
• Use of virus baths/virus software/firewalls to prevent deliberate damage to data (1) plus (1) for reason
• Clear set of internal procedures for staff to follow when using data to prevent use of own software/data from dubious sources etc (1) plus (1) for reason
• Audit trails (1) to record use of data by whom when etc (1)
• Good selection and vetting procedures for new staff (1) to prevent any person with a grudge or ulterior motives being employed (1)
• Physical/Automatic log off of terminals (1) to prevent unauthorised access (1)
• Keyboard locks (1) as above (1)
• Physical restrictions on access to equipment (1) reason to restrict access (1)
• Regular backups (1) to ensure data kept as up to date as possible in the event of accidental damage (1)
• Not staying on line longer than necessary (1) to reduce chances of hacking (1)
• Write protection of disks/files (1) to prevent overwriting/damage to data (1)
• Encryption/Encoding (1)
• Restriction on use of floppy disks (1)
• Callback system for log-on (1)
• Authenticity of software (1)
• Screensavers (1)
• Software measures to protect data
• Better training
Plus other realistic examples (allow only one locking mechanism)
Any 3 x 2 marks – one for describing one for reason
Measure (1) plus Explanation (1)
6 MARKS

June 2003. 7 (8 marks)
The use of laptop computers by company employees has increased the threats to ICT systems. Describe four threats to ICT systems caused by employees using laptops.
